Phone scams cost Americans 29.8 billion USD in 2020-2021. 1 in 3 Americans has fallen victim to phone scams, and 1 in 5 has been defrauded over the phone on more than one occasion.


Vishing and phone scams have seen a steady increase since the COVID pandemic. A growing number of businesses are being targeted with a combination of vishing and smishing.


To help you stay ahead of the cybercriminals, we have written this guide that shares everything you need to know about vishing and how to protect yourself from it.

This guide answers the following questions about vishing:

  1. What Is Vishing?

  2. How Does Vishing Work?

  3. What Is The Difference Between Vishing And Smishing?

  4. What Are The Common Vishing Techniques?

  5. Examples Of Vishing Calls

  6. How To Identify Vishing Scams?

  7. How To Protect Against Vishing?

  8. What To Do If You Get Vished?

1. What Is Vishing?

Vishing is a type of scam that is carried out primarily using phone calls or voice messages. The term “Vishing” is formed by combining “voice” and “phishing”. It falls under the phishing umbrella and has the same goal of eliciting sensitive information and using it for financial gain.


The stolen information can be used for launching further attacks, identity theft, or committing financial fraud. In most cases, once identified as a potential target, the phone number and related information are sold on the dark web to other cybercriminals.


Vishing attacks use tactics and social engineering techniques, similar to those used in phishing attacks, to defraud the victims. Although vishing is less of a cybersecurity threat and more of a scam, it can be part of a larger cyberattack that combines with smishing and phishing to gather information, which is then used for launching targeted cyberattacks on businesses.


While voice calls are the main medium used in vishing attacks, they do not exclusively depend on them. Vishing attacks often utilize SMS, social media messaging, and voicemails as part of their campaign.

2. How Does Vishing Work?

Vishing attacks often start with a text message, sent to a long list of phone numbers, asking the recipients to make a phone call to the attacker’s number. The scammers usually pose as authority figures such as government officials, clients, or managers. The victims are then deceived into sharing sensitive data such as their banking information, credit card details, passwords, etc.

 
 

In other vishing attacks, the scammers do not initiate the phone call but rely on provoking the victims' curiosity, fear, or trust so that they are convinced to call the scammers. Only in rare cases will the fraudsters ask you to wire money or make payments right away.


Vishing attacks are becoming more dangerous because a growing number of attackers are using the personal data of the victims to make their calls believable. The personal data used in such attacks are acquired from previous cyber attacks or bought on the dark web.

3. What Is The Difference Between Vishing And Smishing?

Vishing and smishing are closely related since they both use smartphones as a medium. They are often used together, with smishing messages preceding vishing calls and vice versa.


There is a lot of overlap between the two but the main difference is that while vishing relies on voice calls and voice messages, smishing relies mainly on text messages.


In a vishing attack, although the initial contact may be via SMS, it only serves as bait or as confirmation that the phone number belongs to someone. There will always be voice contact at some point in a vishing attack, whereas voice contact is not necessary for a smishing attack.

4. What Are The Common Vishing Techniques?

Cybercriminals use a number of different tools, techniques, and technologies to carry out vishing attacks. Here is a list of the common vishing techniques:

  1. Robocalls

  2. Caller ID Spoofing

  3. VoIP Calls

  4. Dumpster Diving

  5. Phishing

1. Robocalls

Robocalls are the most common vishing technique. In their simplest form, they involve a prerecorded call placed to a large number of phone numbers. The phone numbers may have been bought or randomly generated. The prerecorded voice asks the recipient to state their name and other information, which is recorded and used by the scammers.


In some robocalls, computer-generated voice messages are used as bait and once the recipient engages with the call, it is transferred to a human agent who continues the scam. The scammers often direct the victims to an attacker-controlled website or convince them to download software that gives the attackers remote access to their phone or computer. 

 
 

2. Caller ID Spoofing

Caller ID spoofing involves using software to create fake numbers that are identical to phone numbers belonging to legitimate institutions. The scammers pose as representatives of tax agencies, banks, police, or other government agencies.

The caller will try to create fear or a sense of urgency to prevent the victim from thinking clearly and to force them to divulge sensitive information quickly. Because of the spoofed phone numbers, such vishing calls can be difficult to identify.


3. VoIP Calls

Vishing scammers regularly cycle numbers because the numbers get marked as spam or blocked, or because authorities get on their trail. Voice over Internet Protocol (VoIP) technology allows scammers to create a large number of fake phone numbers that they use to carry out their attacks while avoiding detection.


4. Dumpster Diving

Dumpster Diving is a technique used to gather information for targeted cyber attacks. It involves searching through trash to find information that could be used to carry out an attack or gain access to a computer.


The scammers don’t necessarily have to find passwords or access codes written on post-it notes in the trash. It is sufficient for them to find phone or email lists, organizational charts, project plans or estimations, etc. to prepare and launch vishing attacks.


5. Phishing

Phishing emails are used by cybercriminals to gather information about potential targets. If you respond to a phishing email, it confirms you as a valid target. Email signatures often contain phone numbers and links to social media accounts. If your response contains such a signature, the scammers gain additional information that they can use during the vishing calls.

5. Examples Of Vishing Calls

Here are some of the common vishing scam themes:

1. Bank Account Or Credit Card Related Calls

Bank account and credit card-related vishing calls are very common. These can come in the form of either a prerecorded message or a person at the other end. The pretexts for such calls include:

  • A claim of account compromise

  • An update of personal details

  • Reversal of a non-existent transaction

In order to fix the purported issues, the caller will try to convince you to share your login credentials, two-factor authentication (2FA) code, etc. to gain unauthorized access to your bank account.

 
 

2. IRS And Tax Return Related Calls

IRS and tax return-related vishing calls are common around the tax filing season. Tax-related scams come in many variations such as wrong filings, unpaid dues, refunds, etc. Threats of bank account seizure and arrest warrants are common scare tactics used in such vishing calls.


3. Medicare Or Social Security Scam Calls

Vishing calls are the most common method used by scammers for Medicare and Social Security-related scams. The fraudsters impersonate government agents and claim to be calling to suspend, renew, or reactivate the victim's Social Security number.


These kinds of calls are typically directed at older adults. The scammers make it a point to call landline numbers during office hours on weekdays when they expect only seniors and older adults to be at home. The scammers try to gather Social Security numbers, Medicare numbers, and financial information from the victims. They then fraudulently use the gathered information for financial gain or sell it to others.


4. Tech Support Scam Calls

These types of scams involve scammers pretending to be tech support calling to fix an issue with a device or an application. They will direct the unsuspecting victim to download remote desktop access software and give them control over the device.


After gaining control over the device, they display fake error messages or virus warnings and pretend to solve the problem. At the end of the call, they charge a fee for fixing the issue that did not exist in the first place.


Tech support scams also typically target older adults since the scammers believe that they will not be tech-savvy and hence will be unable to spot the scam.

6. How To Identify Vishing Scams?

Here is a list of the telltale signs of vishing scams: 

  1. The calls are unsolicited

  2. The caller asks you to provide sensitive information. Remember that legitimate institutions never ask for login credentials or other sensitive information over a phone call.

  3. The caller tries to create a sense of urgency

  4. The caller uses scare tactics to force you to act quickly

  5. The callers are reluctant to provide the information necessary to verify their identity

  6. You receive an SMS directing you to call a particular phone number. Never call such numbers; instead, contact the organization directly via known official channels.

If you notice any of the above signs while on a phone call, it is highly likely that the caller is a scammer.
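
Signs 2, 3, 4 and 6 from the list above can be turned into a simple triage check for reported text messages or voicemail transcripts. The following is an added example, not part of the original guide; the patterns, the allowlist of official numbers, and the sample messages are constructed assumptions.

```python
import re

# Patterns are illustrative assumptions mapped to signs 2, 3 and 4 above.
SIGNS = {
    "asks_for_sensitive_info": re.compile(
        r"\b(password|pin|social security number|ssn|verification code|"
        r"2fa code|card (number|details)|login)\b", re.I),
    "urgency": re.compile(
        r"\b(immediately|urgent(ly)?|right away|final notice|"
        r"within \d+ (minutes?|hours?))\b", re.I),
    "scare_tactic": re.compile(
        r"\b(arrest|warrant|suspend(ed)?|seiz(ed|ure)|legal action|"
        r"compromised|locked)\b", re.I),
}
# Sign 6: the message directs the recipient to call a phone number.
CALLBACK = re.compile(r"\b(?:call|dial)\b[^.\n]{0,40}?(\+?\d[\d\s().-]{7,}\d)", re.I)

# Constructed allowlist: numbers you already hold from official channels.
KNOWN_OFFICIAL = {"18005550100"}

def digits(number):
    """Strip formatting so differently written numbers compare equal."""
    return re.sub(r"\D", "", number)

def triage(message, known=KNOWN_OFFICIAL):
    """Return (verdict, matched_signs) for one SMS or voicemail transcript."""
    matched = [name for name, rx in SIGNS.items() if rx.search(message)]
    m = CALLBACK.search(message)
    if m and digits(m.group(1)) not in known:
        matched.append("unverified_callback_number")
    if len(matched) >= 2:
        verdict = "likely_vishing"
    elif matched:
        verdict = "suspicious"
    else:
        verdict = "no_signs"
    return verdict, matched

# Constructed sample messages (555-01xx numbers are reserved for fiction).
SAMPLES = [
    "Your bank account has been compromised. Call 1-800-555-0199 immediately.",
    "IRS final notice: a warrant is issued. Call (800) 555-0142 and confirm your SSN.",
    "Reminder: your dentist appointment is on Tuesday at 3pm.",
    "Questions about your statement? Call 1-800-555-0100.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s), "<-", s)
```

A keyword check like this only prioritizes messages for human review; a message with no matches is not thereby proven legitimate.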

 
 

7. How To Protect Against Vishing?

Your most important defense against vishing is awareness. Knowing how the vishing scams work and their signs enables you to identify such scams and stop them before they can cause any harm. In addition, here are some steps to protect yourself against vishing scams:

1. Don’t Answer Calls From Unknown Numbers

If you don’t pick up vishing calls, the scammers can do absolutely nothing and you will be completely safe. Let calls from unknown numbers go to voicemail. This gives you enough time to listen to the message, evaluate whether it is legitimate, and decide to call back or not.

2. Don't Press Buttons Or Respond To Prompts

Scammers often use automated messages that prompt recipients to respond by pressing buttons or speaking. This trick enables them to identify potential targets for more robocalls and other cyberattacks.

3. Verify The Caller's Identity

Ask questions and seek information that can verify the identity of the caller and their association with the organization they claim to be calling from. If the caller is reluctant to provide this information, it is highly likely that they are part of a scam. If they do provide the information, ask for a call back to allow you time to verify their identity independently.

4. Hang Up The Call

If at any moment during a call you feel that it might be a vishing call, don’t feel obliged to carry on the conversation. Immediately hang up and block the number.

5. Add Your Phone Number To The National Do Not Call Registry

Adding your phone number to the National Do Not Call Registry prevents telemarketers from calling you. While this does not prevent scammers from calling, it does make it less likely that your number will end up with the scammers through stolen phone lists.

 
 

8. What To Do If You Get Vished?

If you suspect that you have fallen victim to a vishing scam, here are the steps you need to take:

  1. Immediately contact your IT team. They will help you with remedial actions and the best course of action to secure your accounts and devices.

  2. If you disclosed any banking information or credit card details to the scammer, immediately contact the customer service department for the accounts that you fear may have been compromised.

  3. If you disclosed your social security number to the scammer, contact the consumer credit reporting agencies. This is necessary to prevent identity theft, which can allow people to open fraudulent accounts in your name.

  4. File a complaint with the Federal Trade Commission.

  5. It is also a good idea to file a report with the police. If the scammers conduct fraud using your personal information, the police report is useful to prove that you were the victim of identity theft.

Conclusion

Vishing attacks are cleverly crafted to trick you into divulging sensitive information and defrauding you of your money. These scams are usually low-tech and rely on social engineering techniques. It is possible to stop these kinds of voice phishing scams by learning to identify the red flags before responding to requests or demands over the phone.


Regular cybersecurity awareness training helps improve your ability to spot vishing, smishing, and phishing scams. If you are a Jones IT customer, feel free to reach out to your dedicated consultant to schedule Cybersecurity training. If you are not yet our customer, click the button below to learn how we can help improve your organization’s cybersecurity.



About The Author


Hari Subedi

Marketing Manager at Jones IT

Hari is an online marketing professional with a focus on content marketing. He writes on topics related to IT, Security, Small Business, and Mindfulness. He is also the founder and managing director of Girivar Kft., a business services company located in Budapest, Hungary.

   
 
 
